How identity data is turning toxic for big companies

December 4, 2017
by Bhargav Mitra And Robert Mccausland, The Conversation

We want your data. Credit: gualtiero boffi / Shutterstock.com

Google might be in trouble for collecting the personal data of its users, but many companies have a growing incentive to rid their hands of the data that users entrust them with. This is because of growing costs of holding onto it.

A major cause is the rising number of cyber attacks where hackers steal the identity information held by companies, often to sell them on to various black markets. Take the recent example of US giant Equifax, one of the top three companies in the consumer credit reporting industry. It chalked up another 2.5m identity-theft casualties to its existing toll of 143m in October 2017. The firm has suffered a steady stream of identity information loss following a cyber-attack that took place in May this year, where hackers capitalised on weaknesses in its software.

The security breach – as a primary cause – resulted in around US$4.8 billion being wiped off Equifax's market value from May to September 2017. It also tarnished its image and cost the firm's longstanding CEO his job.

The Equifax data breach is just the tip of the iceberg. The latest Breach Level Index (BLI) published by digital security company Gemalto shows a mounting figure of around 9.2 billion data-record losses since 2013. The BLI also reports that only a meagre 368m out of the 9.2 billion stolen records were concealed from potential hackers through the use of data-encoding technology.

The rate at which valuable identity information is flying out of the control of firms is alarming – more than 3,500 records per minute. Around 23% of the top data-breaches over the past five years contained consumers' identity information – like names, dates-of-birth, addresses and account passwords. Corporate victims include big names such as Yahoo, eBay and JP Morgan Chase.

The volume and sophistication of these cyber-assaults will make top-level executives of firms that hold sensitive identity data anxious about its safe-keeping.

Growing cost of regulation

As well as cyber attacks, companies are having to contend with growing levels of regulation. As well as the regulations of the jurisdiction they are based in, when firms are spread across nations, they must also abide by international standards.

The costs of this compliance in the banking sector is increasing at an alarming rate. One report has found that banks spent nearly US$100 billion on compliance in 2016 and the global spending on meeting the regulatory requirements increased from 15% to 25% over the previous four years. This skyrocketing spend on compliance leaves little room for product development.

It has now become imperative for companies holding information on EU citizens to implement control mechanisms to protect personal data in accordance with the EU's strict General Data Protection Regulation (GDPR) guidelines. GDPR, in essence, is about enhancing existing privacy protection. It will be enforced from May 25, 2018.

Non-compliance with GDPR may lead to fines to the tune of €20m or 4% of a firm's global annual sales figure – whichever is greater. Already, implementing the necessary steps to adhere to the new regulation is proving to be expensive for organisations – especially firms with diverse and intertwined business portfolios.

Some estimates predict that purchasing the technology to adhere to the GDPR standards and avoid paying the exorbitant fines will cost Fortune 500 companies on average US$1m each. Add to this the costs of permanent staffing and legal advice for this compliance, you get the picture of overall spending required for one set of regulatory standards. Clearly, the price of such compliance will compel large organisations to explore the burgeoning market of cost-effective and innovative regulatory technology.

A logical solution?

At the point where the cost of protecting identity assets outweighs the benefit of storing it, it becomes toxic for the organisation. As with any risk, companies must act to mitigate or remove it – in this case breach of identity data. When similar risks emerged around the processes for securing payment card processing, solutions focused on tokenisation of card information within an organisation to minimise handling of clear text credit card numbers. It is hard to see how a similar approach could be applied to a multifaceted entity such as identity.

However there is a potential in the application of decentralised technologies that have emerged from the development of cryptocurrencies such as Bitcoin. In these models people could choose whether a centralised entity – such as a bank, for example – would manage their identity or whether they could manage it themselves. Models for a decentralised identity are emerging with parallel developments in the creation of a decentralised web.

There are a number of challenges for both private individuals and the traditional identity provider to overcome for this move to become a reality – including wider adoption of peer-to-peer trust models. But it seems increasingly possible that the cost of cyber attacks, together with regulatory compliance, could be the nudge that drives organisations to surrender their control over vast pools of identity information.

Related Stories

A major American credit reporting agency entrusted to safeguard personal financial information said Thursday hackers looted its system in a colossal breach that could affect nearly half the US population as well as people ...

Equifax has replaced two senior executives entrusted with watching over its computers, after the credit reporting agency revealed it suffered a major hack that led to one of the worst-ever breaches of personal data.

Recommended for you

Micro-grippers may be able to navigate unstructured environments and could help reduce risk during surgeries, according to a study published December 13, 2017 in the open-access journal PLOS ONE by Federico Ongaro from the ...

Cracking the German Enigma code is considered to be one of the decisive factors that hastened Allied victory in World War II. Starting with clues derived from espionage, computer scientists were able to work out the rules ...

Massachusetts Institute of Technology researchers can now predict how much energy solar cells will produce at any location worldwide. Surprisingly, they identified that two types of solar cells (silicon and cadmium telluride) ...

Consumers across the world enjoy Greek yogurt for its taste, texture, and protein-packed punch. Reaching that perfect formula, however, generates large volumes of food waste in the form of liquid whey. Now researchers in ...

How sensitive is the human sense of touch? Sensitive enough to feel the difference between surfaces that differ by just a single layer of molecules, a team of researchers at the University of California San Diego has shown.

Computer scientists have built and successfully tested a tool designed to detect when websites are hacked by monitoring the activity of email accounts associated with them. The researchers were surprised to find that almost ...

0 comments

Please sign in to add a comment.
Registration is free, and takes less than a minute.
Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.